Frequently Asked Questions

Compliance

  • Australian Prudential Regulation Authority (APRA)

    The Australian Prudential Regulation Authority (APRA) is the prudential regulator of financial services in Australia. APRA is responsible for issuing standards that regulate the operations of banks, credit unions, and insurance companies that operate business in Australia. Oracle is not an APRA-regulated entity (ARE). However, Oracle recognizes that some of its customers must adhere to APRA standards, and will work with its customers in a transparent and engaging manner to understand their specific requirements.

    Oracle has been committed to delivering on the needs of public and private sector organisations for over four decades. Oracle Cloud reinforces and extends this commitment by enabling regulated organisations as well as government agencies to move critical resources to an in-country cloud service, which has been designed for their needs and to facilitate their compliance objectives.

    To help ARE customers with their APRA regulatory requirements, Oracle has consolidated and summarized frequently asked questions into one document. These questions have been identified as being critical in the mitigation of risks associated with information security incidents and customer confidentiality for AREs. For further information, see the APRA Regulated Entity Frequently Asked Questions (PDF).
    For further assistance, submit your APRA inquiries here.

  • C5

    The Cloud Computing Compliance Controls Catalog (C5) is produced by the German Ministry for Information Security (BSI), and is a set of minimum controls that cloud providers should have in place with the goal of establishing a baseline for cloud security. C5 is audited under ISAE 3000 rules, and Oracle has been evaluated by a third-party assessor against the C5 security requirements.

    Oracle Cloud Infrastructure

    • API Gateway
    • Announcements
    • Application Migration
    • Archive Storage
    • Audit
    • Block Volume
    • Cloud Shell
    • Compute
    • Container Engine for Kubernetes
    • Data Flow
    • Data Science
    • Data Transfer
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • Digital Assistant
    • Distributed Denial of Service (DDoS) Protection
    • Email Delivery
    • Events
    • FastConnect
    • File Storage
    • Functions
    • Health Checks
    • Identity and Access Management (IAM)
    • Load Balancing
    • Marketplace – Consumer
    • Monitoring
    • MySQL as a Service
    • Notifications
    • Object Storage
    • Oracle Cloud VMWare Provisioning Service (OCVP)
    • Registry
    • Resource Manager
    • Streaming
    • Vault
    • Virtual Cloud Network (VCN)
    • Web Application Firewall (WAF)
  • The Central Bank of Brazil (BACEN)

    The Central Bank of Brazil (BACEN) legislation was passed in April 2018 to establish a series of digital security requirements for financial institutions that are regulated by the bank authority. The legislation covers all financial institutions that offer services or have operations involving data handling in Brazil. OCI has implemented security controls supporting its infrastructure that align with the BACEN framework.

  • The Communications and Information Technology Commission (CITC CCRF)

    The Communications and Information Technology Commission (CITC) in Saudi Arabia published a Cloud Computing Regulatory Framework (CCRF), based on international best practices and analysis, that outlines the rights and obligations of cloud service providers and cloud customers in Saudi Arabia. Cloud service providers must register with CITC to demonstrate alignment with this framework. Oracle has built its infrastructure to support this framework and is Level-1 certified with CITC for Oracle Cloud Infrastructure.

  • CJIS—Criminal Justice Information Services

    The Criminal Justice Information Services (CJIS) Security Policy establishes guidelines for specific security precautions to protect criminal justice information (CJI), such as fingerprints and criminal backgrounds.

    Oracle has obtained a third-party assessment of available security controls for certain cloud services against the technical requirements of Criminal Justice Information Services (CJIS) within our Oracle Government Cloud environments.

    Oracle Cloud Infrastructure

    • Audit
    • Block Volume
    • Compute
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • DDoS Protection
    • FastConnect
    • Identity and Access Management (IAM)
    • Load Balancing
    • Networking
    • Object Storage
    • Virtual Cloud Networks (VCN)

    Oracle SaaS

    • Oracle Enterprise Resource Planning
    • Oracle Human Capital Management
    • Oracle Supply Chain Management
    • Oracle Customer Experience Cloud
    • Oracle B2C Service (Service Cloud, OPA, RightNow CX)
  • CSA Star Level 2

    The Cloud Security Alliance (CSA) is a not-for-profit organization that promotes best practices for providing security assurance in cloud computing.

    Oracle has been assessed by an independent auditor against CSA Security Trust, Assurance and Risk (STAR) Level 2 for Oracle Cloud Infrastructure. STAR attestation leverages a rigorous assessment performed by a reputable third party that affirms OCI has implemented necessary security controls.

    This assessment is based on the CSA Cloud Controls Matrix and controls from SOC 2 and ISO 27001.

    In addition, Oracle has completed a STAR Level 1 self-assessment for Oracle Cloud Infrastructure.

    • API Gateway
    • Announcements
    • Application Migration
    • Archive Storage
    • Audit
    • Block Volume
    • Cloud Shell
    • Compute
    • Container Engine for Kubernetes
    • Data Flow
    • Data Science
    • Data Transfer
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • Digital Assistant
    • Distributed Denial of Service (DDoS) Protection
    • Email Delivery
    • Events
    • FastConnect
    • File Storage
    • Functions
    • Health Checks
    • Identity and Access Management (IAM)
    • Load Balancing
    • Marketplace – Consumer
    • Monitoring
    • MySQL as a Service
    • Notifications
    • Object Storage
    • Oracle Cloud VMWare Provisioning Service (OCVP)
    • Registry
    • Resource Manager
    • Streaming
    • Vault
    • Virtual Cloud Network (VCN)
    • Web Application Firewall (WAF)
  • Cyber Essentials Plus

    Cyber Essentials is a UK government-backed model that identifies the technical security controls an organization needs within their IT systems to defend against common cyber threats. It can help demonstrate that an organization can identify and mitigate potential cyber risks, has adopted security controls to protect customer data, and is compliant with UK government requirements to bid for UK government contracts. Cyber Essentials PLUS covers the same requirements as Cyber Essentials, but the tests of the systems are carried out by an authorized, external certifying body.

    Oracle has obtained Cyber Essentials Plus certification for our London-based Commercial Cloud and UK Government Cloud offerings.

    Oracle Cloud Infrastructure

    Oracle has achieved Cyber Essentials Plus Certification for Oracle Cloud Infrastructure residing in the UK Commercial Cloud.

    • Archive Storage
    • Audit
    • Block Volume
    • Compute
    • Container Engine for Kubernetes
    • Distributed Denial of Service (DDoS) Protection
    • Data Transfer
    • Database–Bare Metal
    • Database–Exadata
    • Database–Virtual Machine
    • FastConnect
    • File Storage
    • Health Checks
    • Identity and Access Management
    • Load Balancing
    • Monitoring
    • Virtual Cloud Networks (VCN)
    • Notifications
    • Object Storage
    • Registry
    • Resource Manager
    • Streaming
    • Vault

    Oracle SaaS

    Oracle has achieved Cyber Essentials Plus Certification for the following services for the UK Gov Cloud only:

    • EPM: Enterprise Performance Reporting
    • EPM: Enterprise Planning and Budgeting
    • EPM: Financial Consolidation and Close
    • EPM: Planning and Budgeting
    • EPM: Profitability and Cost
    • EPM: Tax Reporting
    • Oracle Enterprise Resource Planning
    • Oracle Human Capital Management
    • Oracle Customer Experience Cloud
    • Oracle Enterprise Performance Management (EPM): Account Reconciliation
    • Oracle B2C Service (Service Cloud, OPA, RightNow CX)
    • Oracle Talent Acquisition Cloud (Taleo)
  • DISA SRG—Defense Information Systems Agency, Security Requirements Guide

    The Defense Information Systems Agency (DISA) Cloud Computing Security Requirements Guide (CC SRG) outlines how the DoD will assess the security posture of non-DoD cloud service providers (CSPs) and how non-DoD CSPs can show they meet the security controls and requirements. These baseline cloud security requirements are required before handling any DoD data.

    All cloud computing is required to take place in the U.S. and is based on impact levels:

    • Impact Level 2: Data cleared for public release (note: Level 1 was combined with Level 2)
    • Impact Level 4: Controlled unclassified information (CUI) over NIPRNet. CUI includes protected health information (PHI), privacy information (PII) and export controlled data (note: Level 3 was combined with Level 4)
    • Impact Level 5: Higher sensitivity CUI, mission-critical information, or NSS over NIPRNet
    • Impact Level 6: Classified data over SIPRNet

    For select services Oracle has received Department of Defense (DoD) Provisional Authorizations at Impact Levels 5, 4, and 2.

    Oracle Cloud Infrastructure (IL2 and IL5)

    • Audit
    • Block Volume
    • Compute
    • Database - Bare Metal
    • Database - Exadata
    • FastConnect
    • Identity and Access Management
    • Load Balancing
    • Object Storage
    • Vault
    • Virtual Cloud Network (VCN)

    Oracle SaaS

    Oracle has achieved a DISA SRG Level 4 Accreditation for the following services within the Oracle DoD Cloud:

    • Oracle B2C Service (Service Cloud, OPA, RightNow CX)
    • Oracle Enterprise Resource Planning
    • Oracle Human Capital Management
    • Oracle Supply Chain Management
    • Oracle Customer Experience Cloud

    Oracle has achieved a DISA SRG Level 2 Authorization for the following services within the Gov Cloud:

    • Oracle Service Cloud (OPA and RightNow CX)
    • Oracle Talent Acquisition Cloud (Taleo)
  • ENISA - Information Assurance Framework

    The European Network and Information Security Agency (ENISA) is a European agency that contributes to European cybersecurity policy and supports member states and other stakeholders of the Union when large-scale cyber incidents occur.

    ENISA has created a set of assurance criteria called the Information Assurance Framework (IAF) that is designed to help consumers of cloud services to:

    • Assess the risk of adopting cloud services
    • Compare different cloud providers’ offerings
    • Obtain assurances from the selected cloud providers
    • Reduce the assurance burden on cloud providers

    This framework is based on the broad classes of controls from the ISO27001/2 standard, alongside other industry frameworks such as the Cloud Security Alliance (CSA) Cloud Control Matrix (CCM).

    Oracle’s SaaS has obtained CSA Star Level 2 certification for Fusion on OCI and a certified ISMS against the ISO27001:2013, 27017:2015 & 27018:2014 standards. These certifications can help consumers of cloud services review Oracle security controls and the alignment of these Oracle cloud services to the ENISA IAF, and see how these controls compare to their requirements and to other cloud providers, when conducting their assurance activities and/or risk assessments in migrating to the cloud.

  • Esquema Nacional de Seguridad (ENS) High

    Law 11/2007 in Spain establishes a legal framework to give citizens electronic access to government and public services. Aligned with ISO/IEC 27001, the framework defines a set of security controls for availability, authenticity, integrity, confidentiality, and traceability. The certification establishes security standards that apply to all government agencies and public organizations in Spain, as well as related service providers. Oracle has been evaluated by a third-party assessor against ENS High security controls.

    Oracle Cloud Infrastructure

    • Archive Storage
    • Audit
    • Autonomous Data Warehouse
    • Autonomous Transaction Processing
    • Block Volume
    • Cloud Analytics
    • Compute
    • Container Engine for Kubernetes
    • DDoS Protection
    • Domain Name System (DNS)
    • Data Transfer
    • Database–Bare Metal
    • Database–Exadata
    • Database 2-Node RAC
    • Email Delivery
    • FastConnect
    • File Storage
    • Identity and Access Mgmt.
    • Load Balancing
    • Virtual Cloud Network (VCN)
    • Object Storage
    • Registry
    • Storage Gateway
    • Vault
  • EU Model Clauses

    EU Model Clauses are contractual clauses established by the European Commission and used in agreements between cloud service providers and their customers that govern data transfers from data controllers in the EU to data controllers established outside the EU or European Economic Area (EEA). OCI has implemented security controls supporting its infrastructure that align with EU Model Clauses for Oracle Cloud Infrastructure.

  • FedRAMP—Federal Risk and Authorization Management Program

    The Federal Risk and Authorization Management Program (FedRAMP) is a US government-wide program that provides a standard approach to the security assessment, authorization, and continuous monitoring for cloud products and services. US Federal agencies are directed by the Office of Management and Budget (OMB) to leverage FedRAMP to ensure security is in place when accessing cloud products and services.

    FedRAMP uses the NIST Special Publication 800-53, which provides a catalog of security controls for all US Federal information systems. FedRAMP requires cloud service providers (CSP) to receive an independent security review performed by a third-party assessment organization (3PAO) to ensure authorizations are compliant with the Federal Information Security Management Act (FISMA).

    The following Oracle Cloud Services have received US Federal Risk and Authorization Management Program (FedRAMP) Provisional Authority to Operate (P-ATOs) and Authority to Operate (ATOs) defined by FedRAMP.

    Visit FedRAMP Marketplace for more details.

    Oracle Cloud Infrastructure (FedRAMP High JAB P-ATO)

    Oracle Cloud Infrastructure can provide government customers with the stringent standards of security necessary to protect the federal government's data. Oracle has obtained a P-ATO from the Joint Authorization Board (JAB) for FedRAMP High in its U.S. Government Cloud regions.

    • Announcements
    • Audit
    • Block Volume
    • Compute
    • Compute Monitoring
    • Container Engine for Kubernetes
    • Database - Bare Metal
    • Database - Exadata
    • Digital Assistant
    • Events
    • FastConnect
    • File Storage
    • Identity and Access Management
    • Linux-Yum Repo
    • Load Balancing
    • Metering
    • Notifications
    • Object Storage
    • Private Endpoints
    • Registry
    • Resource Manager
    • Streaming
    • Terraform
    • Vault
    • Virtual Cloud Network (VCN)

    Oracle SaaS

    Oracle has achieved FedRAMP Low (baseline) Authorization to Operate for the following Oracle US Government Cloud offering:

    • Oracle Enterprise Performance Management (EPM)

    Oracle has achieved FedRAMP Moderate (baseline) Authorizations to Operate for the following services within Oracle US Government Cloud:

    • Oracle Enterprise Resource Planning
    • Oracle Human Capital Management
    • Oracle Talent Acquisition Cloud (Taleo)
    • Oracle Supply Chain Management
    • Oracle Customer Experience Cloud
    • Oracle B2C Service (Service Cloud, OPA, RightNow CX)

    Oracle has achieved FedRAMP High (baseline) Authorization to Operate for the following Oracle US Gov Cloud offering:

    • Oracle Government Cloud–Common Controls
  • FIPS 140-2—Federal Information Processing Standards Publication 140-2

    Oracle has obtained a third-party assessment of available security controls for certain Cloud Services against the technical requirements of US Federal Info Processing Standard (FIPS 140-2) within our Oracle Government Cloud environments.

    The Federal Information Processing Standard Publication 140-2 (FIPS 140-2) is a US government security standard that specifies the security requirements related to the design and implementation of cryptographic modules protecting sensitive data. Cryptographic module protection within a security system is needed to maintain the confidentiality and integrity of the data protected by the module.

    Oracle SaaS

    • Oracle B2C Service (Service Cloud, OPA, RightNow CX)
    • Oracle Talent Acquisition Cloud (Taleo)
  • FISC—Financial Industry Information Systems

    The Center for Financial Industry Information Systems (FISC), created by the Japanese Ministry of Finance, consists of financial institutions, insurance companies and securities firms, as well as computer manufacturers and telecommunication companies. The organization established the FISC Security Guidelines in 1985. These guidelines provide basic standards in architecture and operation on information systems for banking and other related financial institutions. Oracle has been evaluated by a third-party assessor against the Financial Industry Information Systems (FISC) v9 security guidelines.

    Oracle Cloud Infrastructure

    • Archive Storage
    • Audit
    • Block Volume
    • Compute
    • Container Engine for Kubernetes
    • Container Registry
    • Domain Name System (DNS)
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • FastConnect
    • File Storage
    • Identity and Access Management
    • Load Balancing
    • Object Storage
    • Tagging
    • Virtual Cloud Network (VCN)

    Oracle Cloud Infrastructure Classic

    • Database
    • Database backup
    • Java Cloud Service (JCS)
    • Oracle Compute Classic Service
    • Oracle Container Classic Service
    • Oracle Storage Cloud Service
    • SOA Suite

    Oracle PaaS

    • Oracle Autonomous Data Warehouse Cloud Service
    • Oracle Autonomous Transaction Processing Cloud Service
  • G-Cloud 12

    The UK Government G-Cloud is a procurement initiative to streamline cloud-computing procurement by public-sector bodies in departments of the United Kingdom Government. The G-Cloud Framework enables public entities to purchase cloud services on government-approved contracts through an online Digital Marketplace. Oracle has registered as part of G-Cloud 12 in order to streamline the ability of Her Majesty's Government to procure and deploy on Oracle's cloud, with pre-negotiated terms and pricing. Oracle has achieved enablement in this marketplace for Oracle Cloud Infrastructure.

    Oracle Cloud Infrastructure

    • Application Development Services
    • Compute
    • Container Native Services
    • Content Services
    • Data Flow
    • Data Integration
    • Data Transfer Appliance
    • Database Backup Service
    • Domain Name System (DNS)
    • DNS Traffic Management
    • Email Delivery
    • Enterprise Integration
    • FastConnect
    • Health Checks
    • Identity and Access Management
    • Identity Cloud Service
    • Load Balancing
    • Management Services
    • Monitoring
    • Notifications
    • Outbound Data Transfer
    • Streaming
    • Vault
    • Oracle Analytics Cloud
    • Oracle Autonomous Data Warehouse (Dedicated Infrastructure)
    • Oracle Autonomous Data Warehouse (Serverless)
    • Oracle Autonomous Transaction Processing (Dedicated Infrastructure)
    • Oracle Autonomous Transaction Processing (Serverless)
    • Oracle Big Data Service
    • Oracle Cloud Web Application Firewall (WAF)
    • Oracle Data Science
    • Oracle Database Cloud Service - Bare Metal
    • Oracle Database Cloud Service - Virtual Machine
    • Oracle Exadata Cloud Service
    • Oracle NoSQL Database Cloud
    • Oracle Storage Cloud Services

    Oracle PaaS

    • Autonomous Data Warehouse
    • Autonomous Transaction Processing
    • Database Backup
  • GDPR—General Data Protection Regulation

    Oracle offers a wide range of security solutions to help customers meet requirements of the GDPR, including services for administrative access controls, network security controls, logging, and encryption.

    Oracle Cloud Infrastructure Privacy Features (PDF)

    Oracle Cloud Infrastructure Security (PDF)

    Oracle Cloud Infrastructure and European Union General Data Protection Regulation (GDPR) (PDF)

    Oracle Cloud Infrastructure Security Capabilities and Services

  • Hébergeur de Données de Santé

    Hébergeur de Données de Santé (HDS) is an audit leading to certification in France. It is required for doing business with customers who control, store, process, or transmit French healthcare information. HDS covers physical infrastructure providers and managed IT providers. The security and privacy of French healthcare information is governed by French law and the EU General Data Protection Regulation. Oracle has achieved HDS certification for Oracle Cloud Infrastructure and Oracle Software as a Service.

    • API Gateway
    • Announcements
    • Application Migration
    • Archive Storage
    • Audit
    • Block Volume
    • Cloud Shell
    • Compute
    • Container Engine for Kubernetes
    • Domain Name System (DNS)
    • Data Flow
    • Data Science
    • Data Transfer
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • Digital Assistant
    • Distributed Denial of Service (DDoS) Protection
    • Email Delivery
    • Events
    • FastConnect
    • File Storage
    • Functions
    • Gen2 ExaC@C
    • Health Checks
    • Identity and Access Management (IAM)
    • Load Balancing
    • Marketplace – Consumer
    • Monitoring
    • MySQL as a Service
    • Notifications
    • Object Storage
    • Oracle Cloud VMWare Provisioning Service (OCVP)
    • Registry
    • Resource Manager
    • Streaming
    • Vault
    • Virtual Cloud Network (VCN)
    • Web Application Firewall (WAF)
  • HIPAA—Health Insurance Portability and Accountability Act

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is US legislation that provides data privacy and security provisions for safeguarding Protected Health Information (PHI). HIPAA applies to covered entities and business associates.

    The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of protected health information (PHI). The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach of unsecured PHI. By law, the Privacy Rule applies only to covered entities (e.g., health plans, health care clearinghouses and certain health care providers). However, parts may be applicable to business associates.

    Oracle has successfully completed third-party HIPAA assessments for the following services within commercial and government data centers located both inside and outside the United States.

    Oracle Cloud Infrastructure

    • API Gateway
    • Announcements
    • Application Migration
    • Archive Storage
    • Audit
    • Block Volume
    • Cloud Shell
    • Compute
    • Container Engine for Kubernetes
    • Data Flow
    • Data Science
    • Data Transfer
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • Digital Assistant
    • Distributed Denial of Service (DDoS) Protection
    • Email Delivery
    • Events
    • FastConnect
    • File Storage
    • Functions
    • Health Checks
    • Identity and Access Management (IAM)
    • Load Balancing
    • Marketplace – Consumer
    • Monitoring
    • MySQL as a Service
    • Notifications
    • Object Storage
    • Oracle Cloud VMWare Provisioning Service (OCVP)
    • Registry
    • Resource Manager
    • Streaming
    • Vault
    • Virtual Cloud Network (VCN)
    • Web Application Firewall (WAF)

    Oracle Cloud Infrastructure Classic

    Oracle has successfully completed third-party HIPAA assessments for the following services within commercial and government data centers located both inside and outside the United States:

    • Storage Classic
    • Compute Classic
    • Dedicated Compute Classic
    • FastConnect Classic
    • Container Classic
    • Messaging Cloud Service

    Oracle PaaS

    Oracle has successfully completed third-party HIPAA assessments for the following services within commercial and government data centers located both inside and outside the United States:

    • Oracle Analytics Cloud
    • Oracle Analytics Cloud – Classic
    • Oracle Applications Program Platform Interface (API) Platform Cloud
    • Oracle Applications Container Cloud
    • Oracle Autonomous Database
    • Oracle Big Data Cloud
    • Oracle Big Data Preparation Cloud
    • Oracle Blockchain Platform
    • Oracle Business Intelligence Cloud
    • Oracle Content and Experience
    • Oracle Data Integration Platform Cloud
    • Oracle Data Visualization Cloud
    • Oracle Database Backup Cloud
    • Oracle Database Classic Cloud
    • Oracle Database Exadata Cloud
    • Oracle Database Cloud Schema
    • Oracle Developer Cloud
    • Oracle Digital Assistant
    • Oracle Identity Cloud
    • Oracle Integration Cloud
    • Oracle Internet of Things Cloud
    • Oracle Java Cloud
    • Oracle Java Cloud – SaaS Extension
    • Oracle NoSQL Database Cloud
    • Oracle Management Cloud
    • Oracle Mobile Cloud
    • Oracle Mobile Hub
    • Oracle Process Cloud
    • Oracle SOA Cloud
    • Oracle Visual Builder
    • Oracle WebCenter Portal Cloud

    Oracle SaaS

    Oracle has successfully completed third-party HIPAA assessments for the following services:

    • B2B Marketing Automations (Oracle Eloqua Marketing Automation)
    • Oracle Enterprise Resource Planning
    • Oracle Human Capital Management
    • Oracle Supply Chain Management
    • Oracle Customer Experience Cloud
    • Oracle B2C Service (Service Cloud, OPA, RightNow CX)

    Oracle Gen 2 Exadata Cloud at Customer

    Oracle has successfully completed a third-party HIPAA assessment for Oracle Gen 2 Exadata Cloud at Customer.

  • The Information Security Management System

    The Information Security Management System is a Korea-specific set of control requirements developed from proven security standards to ensure consistent and secure cloud operations. Cloud service providers in South Korea are required to obtain the ISMS certification upon reaching a revenue threshold that OCI already exceeds. Oracle has achieved ISMS certification for the Oracle Cloud Infrastructure.

  • The Insurance Regulatory and Development Authority of India (IRDAI)

    The Insurance Regulatory and Development Authority of India (IRDAI) has established directives that include outsourcing and risk management guidelines and requirements for compliance with privacy rules governing sensitive data within the financial services sector. Oracle Cloud Infrastructure services offer controls which can help support the IRDAI compliance needs of finance and insurance customers in India.

  • IRAP—Information Security Registered Assessor Program

    The Information Security Registered Assessor Program (IRAP) is a security compliance framework comprised of security assessment processes and a security assessor program. It was developed by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) within the Australian government. IRAP supports Australian commonwealth government entities in maintaining their security assurance and risk management, as well as in assessing cloud service providers and their cloud services’ security controls against the Australian government security policies and guidelines.

    Oracle SaaS

    The following Oracle Cloud Applications have been assessed by an independent third-party assessor and qualified for IRAP’s PROTECTED level:

    • Oracle Enterprise Resource Planning
    • Oracle Human Capital Management
    • Oracle Supply Chain Management

    The following Oracle Cloud Applications were assessed by an independent third-party assessor and qualified for IRAP’s Official: Sensitive level:

    • Oracle Customer Experience Cloud (Sales)
    • Oracle Enterprise Performance Management
    • Oracle B2C Service (Service Cloud, OPA, RightNow CX)
  • IRS 1075—Internal Revenue Service Publication 1075

    The Internal Revenue Service Publication 1075 (IRS 1075) is a US government guideline to ensure effective security controls are in place to protect Federal Tax Information (FTI). The IRS 1075 assessment report provides information on the available technical safeguards intended to adequately protect the confidentiality and integrity of FTI.

    Oracle has obtained a third-party assessment of available security controls for certain cloud services against the technical requirements of US Internal Revenue Service Publication 1075 within our Oracle Government Cloud environments.

    Oracle SaaS

    • Oracle Enterprise Resource Planning
    • Oracle Human Capital Management
    • Oracle Supply Chain Management
    • Oracle Customer Experience Cloud
    • Oracle B2C Service (Service Cloud, OPA, RightNow CX)
  • ISO/IEC 20000-1:2018—International Organization for Standardization ISO 20000-1

    International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 20000-1:2018 specifies requirements for establishing, implementing, maintaining and continually improving a service management system (SMS). An SMS supports the management of the service lifecycle, including the planning, design, transition, delivery and improvement of services, which meet agreed requirements and deliver value for customers, users and the organization delivering the services. Oracle has achieved ISO/IEC 20000-1:2018 certification for Oracle Cloud Infrastructure.

    • API Gateway
    • Announcements
    • Application Migration
    • Archive Storage
    • Audit
    • Block Volume
    • Cloud Shell
    • Compute
    • Container Engine for Kubernetes
    • Domain Name System (DNS)
    • Data Flow
    • Data Science
    • Data Transfer
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • Digital Assistant
    • Distributed Denial of Service (DDoS) Protection
    • Email Delivery
    • Events
    • Gen2 ExaC@C
    • FastConnect
    • File Storage
    • Functions
    • Health Checks
    • Identity and Access Management (IAM)
    • Load Balancing
    • Marketplace – Consumer
    • Monitoring
    • MySQL as a Service
    • Notifications
    • Object Storage
    • Oracle Cloud VMWare Provisioning Service (OCVP)
    • Registry
    • Resource Manager
    • Streaming
    • Vault
    • Virtual Cloud Network (VCN)
    • Web Application Firewall (WAF)
  • ISO/IEC 27001:2013—International Organization for Standardization 27001

    ISO/IEC 27001:2013 is an international standard that covers the planning, implementation, monitoring, and improvement of an Information Security Management System. This widely adopted global security standard sets out requirements and best practices for a systematic approach to managing company and customer information based on periodic security risk assessments.

    Oracle has achieved International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS). Additionally, ISO 27017 has been included within scope of our ISO/IEC 27001:2013 certification.

    Oracle Cloud Infrastructure

    Oracle has successfully completed ISO/IEC 27001:2013 audits for Oracle Cloud Infrastructure and Oracle Edge Services.

    • API Gateway
    • Announcements
    • Application Migration
    • Archive Storage
    • Audit
    • Block Volume
    • Cloud Shell
    • Compute
    • Container Engine for Kubernetes
    • Domain Name System (DNS)
    • Data Flow
    • Data Science
    • Data Transfer
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • Digital Assistant
    • Distributed Denial of Service (DDoS) Protection
    • Email Delivery
    • Events
    • Gen2 ExaC@C
    • FastConnect
    • File Storage
    • Functions
    • Health Checks
    • Identity and Access Management (IAM)
    • Load Balancing
    • Marketplace – Consumer
    • Monitoring
    • MySQL as a Service
    • Notifications
    • Object Storage
    • Oracle Cloud VMWare Provisioning Service (OCVP)
    • Registry
    • Resource Manager
    • Streaming
    • Vault
    • Virtual Cloud Network (VCN)
    • Web Application Firewall (WAF)

    Oracle Infrastructure Classic

    • Oracle Cloud Infrastructure Dedicated Compute Classic
    • Oracle Cloud Infrastructure Compute Classic
    • Oracle Cloud Infrastructure Container Classic Service
    • Oracle Cloud Infrastructure Storage Classic
    • Oracle Cloud Infrastructure FastConnect Classic
    • Oracle Messaging Cloud Service

    Oracle PaaS

    Oracle has achieved ISO/IEC 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS) consumed by all SaaS, PaaS, and Oracle Cloud Infrastructure Classic services, in all data centers where these services reside. Additionally, ISO 27017 has been included within scope of our ISO/IEC 27001:2013 certification.

    Services include:

    • Oracle Analytics Cloud
    • Oracle Analytics Cloud – Classic
    • Oracle Application Program Interface (API) Platform Cloud Service
    • Oracle Application Container Cloud Service
    • Oracle Autonomous Database
    • Oracle Big Data Cloud Service
    • Oracle Big Data Preparation Cloud Service
    • Oracle Blockchain Platform
    • Oracle Business Intelligence Cloud Service
    • Oracle Content and Experience
    • Oracle Data Integration Platform Cloud
    • Oracle Data Visualization Cloud Service
    • Oracle Database Backup Cloud Service
    • Oracle Database Classic Cloud Service
    • Oracle Database Exadata Cloud Service
    • Oracle Database Cloud Schema Service
    • Oracle Developer Cloud Service
    • Oracle Digital Assistant
    • Oracle Identity Cloud Service
    • Oracle Integration Cloud Service
    • Oracle Internet of Things Cloud Service
    • Oracle Java Cloud Service
    • Oracle Java Cloud Service – SaaS Extension
    • Oracle Management Cloud
    • Oracle Mobile Cloud Service
    • Oracle Mobile Hub
    • Oracle NoSQL Database Cloud Service
    • Oracle Process Cloud Service
    • Oracle SOA Cloud Service
    • Oracle Visual Builder
    • Oracle WebCenter Portal Cloud Service

    Oracle SaaS

    Oracle has achieved International Standards Organization (ISO)/International Electrotechnical Commission (IEC) 27001:2013 certification for the Oracle Cloud Information Security Management System (ISMS). Additionally, the ISO/IEC 27017:2015 and ISO/IEC 27018:2014 codes of practice have been included within scope of our ISO/IEC 27001:2013 certification.

    Oracle Gen 2 Exadata Cloud at Customer

    Oracle has successfully completed an ISO/IEC 27001:2013 audit for Oracle Gen 2 Exadata Cloud at Customer.

  • ISO/IEC 27017:2015—Code of Practice for Information Security Controls Based on ISO/IEC 27002 for Cloud Services

    Conducted by EY/CertifyPoint BV, Amsterdam, Netherlands, Oracle Cloud Infrastructure’s ISO/IEC 27017:2015 audit examines cloud service specific controls, implementation guidance and other information that are intended to mitigate the risks that accompany the technical and operational features of cloud services. This certification demonstrates Oracle’s ongoing commitment to align with globally recognized good practice for information security controls for cloud services.

    Oracle Cloud Infrastructure

    • API Gateway
    • Announcements
    • Application Migration
    • Archive Storage
    • Audit
    • Block Volume
    • Cloud Shell
    • Compute
    • Container Engine for Kubernetes
    • Domain Name System (DNS)
    • Data Flow
    • Data Science
    • Data Transfer
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • Digital Assistant
    • Distributed Denial of Service (DDoS) Protection
    • Email Delivery
    • Events
    • Gen2 ExaC@C
    • FastConnect
    • File Storage
    • Functions
    • Health Checks
    • Identity and Access Management (IAM)
    • Load Balancing
    • Marketplace – Consumer
    • Monitoring
    • MySQL as a Service
    • Notifications
    • Object Storage
    • Oracle Cloud VMWare Provisioning Service (OCVP)
    • Registry
    • Resource Manager
    • Streaming
    • Vault
    • Virtual Cloud Network (VCN)
    • Web Application Firewall (WAF)

    Oracle Cloud Infrastructure Classic

    • Oracle Cloud Infrastructure Dedicated Compute Classic
    • Oracle Cloud Infrastructure Compute Classic
    • Oracle Cloud Infrastructure Container Classic Service
    • Oracle Cloud Infrastructure Storage Classic
    • Oracle Cloud Infrastructure FastConnect Classic
    • Oracle Messaging Cloud Service

    Oracle PaaS

    • Oracle Analytics Cloud
    • Oracle Analytics Cloud – Classic
    • Oracle Application Program Interface (API) Platform Cloud Service
    • Oracle Application Container Cloud Service
    • Oracle Autonomous Database
    • Oracle Big Data Cloud Service
    • Oracle Big Data Preparation Cloud Service
    • Oracle Blockchain Platform
    • Oracle Business Intelligence Cloud Service
    • Oracle Content and Experience
    • Oracle Data Integration Platform Cloud
    • Oracle Data Visualization Cloud Service
    • Oracle Database Backup Cloud Service
    • Oracle Database Classic Cloud Service
    • Oracle Database Exadata Cloud Service
    • Oracle Database Cloud Schema Service
    • Oracle Developer Cloud Service
    • Oracle Digital Assistant
    • Oracle Identity Cloud Service
    • Oracle Integration Cloud Service
    • Oracle Internet of Things Cloud Service
    • Oracle Java Cloud Service
    • Oracle Java Cloud Service – SaaS Extension
    • Oracle Management Cloud
    • Oracle Mobile Cloud Service
    • Oracle Mobile Hub
    • Oracle NoSQL Database Cloud Service
    • Oracle Process Cloud Service
    • Oracle SOA Cloud Service
    • Oracle Visual Builder
    • Oracle WebCenter Portal Cloud Service
  • ISO/IEC 27018:2014—Code of Practice for Protection of Personally Identifiable Information (PII) In Public Clouds Acting as PII Processors

    Conducted by EY/CertifyPoint, Oracle Cloud Infrastructure’s ISO/IEC 27018:2014 audit examines a common set of security categories and controls that can be implemented by a public cloud computing service provider acting as a PII processor. ISO/IEC 27018:2014 is based on the information security objectives and controls in ISO/IEC 27002. This certification demonstrates to Oracle customers that Oracle Cloud Infrastructure has implemented appropriate measures to protect Personally Identifiable Information (PII) for a public cloud computing environment.

    Oracle Cloud Infrastructure

    • API Gateway
    • Announcements
    • Application Migration
    • Archive Storage
    • Audit
    • Block Volume
    • Cloud Shell
    • Compute
    • Container Engine for Kubernetes
    • Domain Name System (DNS)
    • Data Flow
    • Data Science
    • Data Transfer
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • Digital Assistant
    • Distributed Denial of Service (DDoS) Protection
    • Email Delivery
    • Events
    • Gen2 ExaC@C
    • FastConnect
    • File Storage
    • Functions
    • Health Checks
    • Identity and Access Management (IAM)
    • Load Balancing
    • Marketplace – Consumer
    • Monitoring
    • MySQL as a Service
    • Notifications
    • Object Storage
    • Oracle Cloud VMWare Provisioning Service (OCVP)
    • Registry
    • Resource Manager
    • Streaming
    • Vault
    • Virtual Cloud Network (VCN)
    • Web Application Firewall (WAF)

    Oracle Cloud Infrastructure Classic

    • Oracle Cloud Infrastructure Dedicated Compute Classic
    • Oracle Cloud Infrastructure Compute Classic
    • Oracle Cloud Infrastructure Container Classic Service
    • Oracle Cloud Infrastructure Storage Classic
    • Oracle Cloud Infrastructure FastConnect Classic
    • Oracle Messaging Cloud Service

    Oracle PaaS

    • Oracle Analytics Cloud
    • Oracle Analytics Cloud – Classic
    • Oracle Application Program Interface (API) Platform Cloud Service
    • Oracle Application Container Cloud Service
    • Oracle Autonomous Database
    • Oracle Big Data Cloud Service
    • Oracle Big Data Preparation Cloud Service
    • Oracle Blockchain Platform
    • Oracle Business Intelligence Cloud Service
    • Oracle Content and Experience
    • Oracle Data Integration Platform Cloud
    • Oracle Data Visualization Cloud Service
    • Oracle Database Backup Cloud Service
    • Oracle Database Classic Cloud Service
    • Oracle Database Exadata Cloud Service
    • Oracle Database Cloud Schema Service
    • Oracle Developer Cloud Service
    • Oracle Digital Assistant
    • Oracle Identity Cloud Service
    • Oracle Integration Cloud Service
    • Oracle Internet of Things Cloud Service
    • Oracle Java Cloud Service
    • Oracle Java Cloud Service – SaaS Extension
    • Oracle Management Cloud
    • Oracle Mobile Cloud Service
    • Oracle Mobile Hub
    • Oracle NoSQL Database Cloud Service
    • Oracle Process Cloud Service
    • Oracle SOA Cloud Service
    • Oracle Visual Builder
    • Oracle WebCenter Portal Cloud Service
  • The International Traffic in Arms Regulations (ITAR)

    The International Traffic in Arms Regulations, or ITAR, is a set of government rules that control the export and import of defense-related articles, services and technology. ITAR compliance is required for customers that are subject to export regulations and that must ensure technical data is not inadvertently distributed to foreign persons or foreign nations. Oracle is aligned with ITAR requirements.

  • Korean Financial Security Initiative (FSI) Framework

    The Financial Service Committee (FSC) of Korea is responsible for monitoring and assessing the security of all Korean Financial Institutions to ensure compliance with the Korean FSI Framework. OCI has been evaluated by the FSC of Korea against the Korean FSI security controls. This certification enables Korean financial sector customers to leverage OCI as their cloud services provider within the region.

    • Archive Storage
    • Audit
    • Block Volume
    • Compute
    • Container Engine for Kubernetes
    • Data Transfer
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • Distributed Denial of Service (DDoS) Protection
    • FastConnect
    • File Storage
    • Health Checks
    • Identity and Access Management
    • Load Balancing
    • Monitoring
    • Virtual Cloud Network (VCN)
    • Notifications
    • Object Storage
    • Registry
    • Resource Manager
    • Streaming
    • Vault
  • Law Enforcement Requests Report

    Oracle publishes this report to provide information regarding informational requests submitted to us by law enforcement agencies and governments globally.

    Download the report (PDF)

  • Lei Geral de Proteção de Dados (LGPD)

    Brazil’s Lei Geral de Proteção de Dados (LGPD) was passed in August 2018 to promote and protect privacy and to regulate how Brazilian companies handle personal information. The legislation covers all companies that offer services or have operations involving data handling in Brazil. OCI has implemented security controls supporting its infrastructure that align with the LGPD framework.

  • MARS-E—Minimum Acceptable Risk Standards for Exchanges

    The Minimum Acceptable Risk Standards for Exchanges (MARS-E) is a suite of documents assembled by the Centers for Medicare & Medicaid Services (CMS). The CMS has oversight responsibility of Exchange information technology (IT) systems. The suite of documents defines a risk-based Security and Privacy Framework for Exchange information technology (IT) system design and implementation. The document suite includes guidance, requirements, and templates that address the mandates of the Patient Protection and Affordable Care Act of 2010 (ACA).

    Oracle has obtained a third-party assessment of available security controls for certain Cloud Services against the technical requirements of US Minimum Acceptable Risk Standards for Exchanges (MARS-E) within our Oracle Government Cloud environments.

    Oracle SaaS

    • Oracle B2C Service (Service Cloud, OPA, RightNow CX)
    • Oracle Enterprise Resource Planning
    • Oracle Human Capital Management
    • Oracle Supply Chain Management
    • Oracle Customer Experience Cloud
  • My Number Act

    In Japan, My Number is a 12-digit ID number issued to all citizens and residents of Japan (even foreign residents). Similar to the US SSN, the number is used for taxation, social security, and disaster-response purposes. The numbers were first issued in late 2015, and the bill includes a provision about protection of specific personal information. The My Number Act is designed to improve efficiency and transparency of government systems in Japan and to protect personal information of each number holder. Oracle has designed and implemented security controls around its infrastructure technology stack; customers can architect, build, and maintain security for their own applications and workloads.

  • NIST 800-171/DFARS 252.7012—National Institute of Standards and Technology Special Publication 800-171 / Defense Federal Acquisition Regulation Supplement 252.7012

    The National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171) “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” provides security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). Federal agencies use the requirements in contractual vehicles or other agreements established between those agencies and nonfederal organizations. The requirements apply to all nonfederal information systems and organizations that process, store, or transmit CUI.

    Oracle has obtained a third-party assessment of available security controls for certain cloud services against the technical requirements of NIST 800-171 and DFARS 252.7012 within our Oracle Government Cloud environments.

    Oracle SaaS

    • Oracle Enterprise Resource Planning
    • Oracle Human Capital Management
    • Oracle Supply Chain Management
    • Oracle Customer Experience Cloud
    • Oracle B2C Service (Service Cloud, OPA, RightNow CX)
    • Oracle Talent Acquisition Cloud (Taleo)
    • Oracle Enterprise Performance Management (EPM)
  • National Center of Incident Readiness and Strategy for Cybersecurity (NISC)

    The National Center of Incident Readiness and Strategy for Cybersecurity (NISC) in Japan works to establish common standards for cybersecurity for government agencies. The NISC governing body is responsible for monitoring government-related organizations that handle large volumes of personal information in and out of the cloud sector. NISC has designed a wide range of security guidelines for government entities to follow, which promote efficient and effective cyber security measures and legal compliance. Oracle has been evaluated by a third-party assessor against NISC guidelines for the following services:

    Oracle Cloud Infrastructure

    • Archive Storage
    • Audit
    • Block Volume
    • Compute
    • Container Engine for Kubernetes
    • Container Registry
    • Domain Name System (DNS)
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • FastConnect
    • File Storage
    • Identity and Access Management
    • Load Balancing
    • Object Storage
    • Tagging
    • Virtual Cloud Network (VCN)

    Oracle Cloud Infrastructure Classic

    • Database
    • Database backup
    • Java Cloud Service (JCS)
    • Oracle Compute Classic Service
    • Oracle Container Classic Service
    • Oracle Storage Cloud Service
    • SOA Suite

    Oracle PaaS

    • Oracle Autonomous Data Warehouse Cloud Service
    • Oracle Autonomous Transaction Processing Cloud Service
  • National Cybersecurity Authority

    The Saudi Arabian National Cybersecurity Authority (NCA) was established by Royal Decree to guide national organizations “to effectively identify and address risks related to cyber security” for a defined set of sectors serving critical infrastructure for Saudi Arabia. Oracle’s implementation of cloud infrastructure is consistent with these security models and makes available a set of security controls for customer use in their own implementations. This allows Oracle to provide services in the region, including specific infrastructure security controls that customers can use to implement and operate their own platforms and applications, sharing responsibility to meet the requirements of the authority’s cybersecurity controls. OCI has implemented security controls supporting its infrastructure that align with NCA for:

    Oracle Cloud Infrastructure

    • Archive Storage
    • Audit
    • Block Volume
    • Compute
    • Database – Bare Metal
    • Database – Exadata
    • FastConnect
    • Identity and Access Management
    • Load Balancing
    • Object Storage
    • Vault
    • Virtual Cloud Network (VCN)
  • PCI DSS—Payment Card Industry Data Security Standard

    The Payment Card Industry Data Security Standard (PCI DSS) is a global set of security standards designed to encourage and enhance cardholder data security and promote the adoption of consistent data security measures around the technical and operational components related to cardholder data.

    Oracle has successfully completed a Payment Card Industry Data Security Standard (PCI DSS) audit and received an Attestation of Compliance (AoC) for Oracle Cloud Infrastructure, Oracle Gen 2 Exadata Cloud at Customer, Oracle PaaS, and Oracle SaaS services noted below.

    Oracle Cloud Infrastructure

    • API Gateway
    • Announcements
    • Application Migration
    • Archive Storage
    • Audit
    • Autonomous Database on Dedicated Exadata Infrastructure
    • Block Volume
    • Cloud Shell
    • Compute
    • Container Engine for Kubernetes
    • Data Catalog
    • Data Flow
    • Data Science
    • Data Transfer
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • Digital Assistant
    • Distributed Denial of Service (DDoS) Protection
    • Email Delivery
    • Events
    • FastConnect
    • File Storage
    • Functions
    • Health Checks
    • Identity Cloud Service (IDCS)
    • Identity and Access Management (IAM)
    • Load Balancing
    • Marketplace – Consumer
    • Monitoring
    • MySQL as a Service
    • Notifications
    • Object Storage
    • Oracle Cloud VMWare Provisioning Service (OCVP)
    • Registry
    • Resource Manager
    • Streaming
    • Vault
    • Virtual Cloud Network (VCN)

    Oracle PaaS

    • Oracle Identity Cloud Service (IDCS)

    Oracle SaaS

    • Oracle CX Commerce (Oracle Commerce Cloud)
    • Oracle B2C Service (Service Cloud, OPA, RightNow CX)
  • PIPEDA—Canadian Personal Information Protection and Electronic Documents Act

    The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) is a data privacy law in Canada that applies to many organizations based in Canada that collect and process the personal information of individuals.

    Oracle Cloud Infrastructure Privacy Features (PDF)

    Oracle Cloud Infrastructure Privacy and Security Features and PIPEDA (PDF)

  • Privacy Shield Framework

    Oracle provides a broad range of hosted, remote and on-site computer-based services to our customers, including cloud services, consulting services and advanced customer support services, technical support services and training services. Privacy Shield frameworks provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States. In order to join a Privacy Shield Framework, US corporations must self-certify to the Department of Commerce and commit to the Framework’s requirements. OCI has implemented security controls supporting its infrastructure that align with the Privacy Shield obligations for Oracle Cloud Infrastructure.

  • Protected B

    Federal government contracts in Canada contain clauses with security requirements that specify levels of security for sensitive information, assets and work sites. The Canadian government has established levels for protection of information and assets, and Level B applies to information or assets whose loss or damage could cause serious injury to an individual, organization or government. OCI has implemented security controls supporting its infrastructure that align with Protected B.

    Oracle Cloud Infrastructure

    • Audit
    • Bare Metal
    • Block Volume
    • Compute
    • Database – Virtual Machine
    • Exadata
    • FastConnect
    • File Storage
    • Identity and Access Management
    • Virtual Cloud Networks (VCN)
    • Object Storage
    • Storage Gateway
    • Vault
  • The Reserve Bank of India (RBI)

    The Reserve Bank of India (RBI) has established directives that include outsourcing and risk management guidelines and requirements for compliance with privacy rules governing sensitive data within the financial services sector. Oracle Cloud Infrastructure (OCI) services offer controls which can help support the RBI and IRDAI compliance needs of finance and insurance customers in India.

  • Saudi Arabian Monetary Authority (SAMA)

    The Saudi Arabian Monetary Authority (SAMA) of the Kingdom of Saudi Arabia has established a Cyber Security Framework to enable financial institutions regulated by SAMA to effectively identify and address risks related to cyber security. SAMA states that “To maintain the protection of information assets and online services, the Member Organizations must adopt the Framework.” The SAMA Cyber Security Framework provides a baseline for security of information interchange between Member Organizations, and between Member Organizations and SAMA. The Framework consists of 32 control topics grouped into four areas. These controls generally map to either or both the ISO/IEC 27001 controls and the PCI-DSS controls, consistent with SAMA’s stated intent to facilitate financial operations, modernization, and information exchange. Oracle Cloud Infrastructure’s implementation of cloud infrastructure is consistent with these security models and makes available a set of security controls for customer use in their own implementations. OCI has implemented security controls supporting its infrastructure that align with SAMA:

    Oracle Cloud Infrastructure

    • Archive Storage
    • Audit
    • Block Volume
    • Compute
    • Database – Bare Metal
    • Database – Exadata
    • FastConnect
    • Identity and Access Management
    • Load Balancing
    • Object Storage
    • Vault
    • Virtual Cloud Networks (VCN)
  • SOC 1—System and Organization Controls 1

    SOC 1 is a report on a service organization’s controls relevant to internal control over financial reporting. A “type 1” report focuses on the suitability of the system's design of its controls to achieve the control objectives. A “type 2” report includes the “type 1” report opinions; additionally, it includes an opinion on the operating effectiveness of the controls to achieve the control objectives as well as a description of the service auditor’s tests of the controls and results.

    Oracle Cloud Services have been assessed using the American Institute of Certified Public Accountants (AICPA) Statement on Standards for Attestation Engagements (SSAE) No. 18 (System and Organization Controls (SOC) 1) and the International Auditing and Assurance Standards Board (IAASB) International Standard of Assurance Engagements (ISAE) 3402 standards for the suitability of the design and operating effectiveness of the specified controls.

    Oracle Cloud Infrastructure—SOC 1 Type 2

    • API Gateway
    • Announcements
    • Application Migration
    • Archive Storage
    • Audit
    • Block Volume
    • Cloud Shell
    • Compute
    • Container Engine for Kubernetes
    • Data Flow
    • Data Science
    • Data Transfer
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • Digital Assistant
    • Distributed Denial of Service (DDoS) Protection
    • Email Delivery
    • Events
    • FastConnect
    • File Storage
    • Functions
    • Health Checks
    • Identity and Access Management (IAM)
    • Load Balancing
    • Marketplace – Consumer
    • Monitoring
    • MySQL as a Service
    • Notifications
    • Object Storage
    • Oracle Cloud VMWare Provisioning Service (OCVP)
    • Registry
    • Resource Manager
    • Streaming
    • Vault
    • Virtual Cloud Network (VCN)
    • Web Application Firewall (WAF)

    Oracle Cloud Infrastructure Classic—SOC 1 Type 2

    • Storage Classic
    • Compute Classic
    • Dedicated Compute Classic
    • FastConnect Classic
    • Container Classic
    • Messaging Cloud Service

    Oracle PaaS—SOC 1 Type 2

    • Oracle Analytics Cloud
    • Oracle Analytics Cloud – Classic
    • Oracle Applications Program Platform Interface (API) Platform Cloud
    • Oracle Applications Container Cloud
    • Oracle Autonomous Database
    • Oracle Big Data Cloud
    • Oracle Big Data Preparation Cloud
    • Oracle Blockchain Platform
    • Oracle Business Intelligence Cloud
    • Oracle Content and Experience
    • Oracle Data Integration Platform Cloud
    • Oracle Data Visualization Cloud
    • Oracle Database Backup Cloud
    • Oracle Database Classic Cloud
    • Oracle Database Exadata Cloud
    • Oracle Database Cloud Schema
    • Oracle Developer Cloud
    • Oracle Digital Assistant
    • Oracle Identity Cloud
    • Oracle Integration Cloud
    • Oracle Internet of Things Cloud
    • Oracle Java Cloud
    • Oracle Java Cloud – SaaS Extension
    • Oracle NoSQL Database Cloud
    • Oracle Management Cloud
    • Oracle Mobile Cloud
    • Oracle Mobile Hub
    • Oracle Process Cloud
    • Oracle SOA Cloud
    • Oracle Visual Builder
    • Oracle WebCenter Portal Cloud

    Oracle SaaS—SOC 1 Type 2

    • Oracle CPQ Cloud Service (BigMachines)
    • Cobrowse Cloud Service (LiveLook)
    • Oracle B2B Marketing Automation (Oracle Eloqua Marketing Cloud Service)
    • Oracle Enterprise Performance Management (EPM)
    • Oracle Field Service Cloud Service (TOA)
    • Oracle Enterprise Resource Planning
    • Oracle Human Capital Management
    • Oracle Supply Chain Management
    • Oracle Customer Experience Cloud
    • Maxymiser Cloud Service
    • B2C Campaign Management (Responsys Marketing Cloud Service)
    • Oracle B2C Service (Service Cloud, OPA, RightNow CX)
    • Oracle Talent Acquisition Cloud (Taleo)
    • Oracle Talent Cloud for Midsize (TBE)
    • Taleo Learn Cloud Service
    • Transportation Management Cloud Service (OTM)
    • Warehouse Management Cloud (LogFire)
  • SOC 2—System and Organization Controls 2

    SOC 2 is a report on a service organization’s controls relevant to security, availability, processing integrity, confidentiality, or privacy using up to five trust principles. A given SOC 2 report may be based on one or more trust principles. Similar to a SOC 1 report, a SOC 2 report is also available as type 1 or type 2.

    Oracle Cloud Services have been assessed using the criteria set forth in paragraph 1.26 of the American Institute of Certified Public Accountants (AICPA) Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) for the suitability of the design and operating effectiveness for the security, availability, and confidentiality principles.

    Oracle Cloud Infrastructure—SOC 2 Type 2

    • API Gateway
    • Announcements
    • Application Migration
    • Archive Storage
    • Audit
    • Block Volume
    • Cloud Shell
    • Compute
    • Container Engine for Kubernetes
    • Data Flow
    • Data Science
    • Data Transfer
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • Digital Assistant
    • Distributed Denial of Service (DDoS) Protection
    • Email Delivery
    • Events
    • FastConnect
    • File Storage
    • Functions
    • Health Checks
    • Identity and Access Management (IAM)
    • Load Balancing
    • Marketplace – Consumer
    • Monitoring
    • MySQL as a Service
    • Notifications
    • Object Storage
    • Oracle Cloud VMWare Provisioning Service (OCVP)
    • Registry
    • Resource Manager
    • Streaming
    • Vault
    • Virtual Cloud Network (VCN)
    • Web Application Firewall (WAF)

    Oracle Cloud Infrastructure Classic—SOC 2 Type 2

    • Storage Classic
    • Compute Classic
    • Dedicated Compute Classic
    • FastConnect Classic
    • Container Classic
    • Messaging Cloud Service

    Oracle PaaS—SOC 2 Type 2

    • Oracle Analytics Cloud
    • Oracle Analytics Cloud – Classic
    • Oracle Applications Program Platform Interface (API) Platform Cloud
    • Oracle Applications Container Cloud
    • Oracle Autonomous Database
    • Oracle Big Data Cloud
    • Oracle Big Data Preparation Cloud
    • Oracle Blockchain Platform
    • Oracle Business Intelligence Cloud
    • Oracle Content and Experience
    • Oracle Data Integration Platform Cloud
    • Oracle Data Visualization Cloud
    • Oracle Database Backup Cloud
    • Oracle Database Classic Cloud
    • Oracle Database Exadata Cloud
    • Oracle Database Cloud Schema
    • Oracle Developer Cloud
    • Oracle Digital Assistant
    • Oracle Identity Cloud
    • Oracle Integration Cloud
    • Oracle Internet of Things Cloud
    • Oracle Java Cloud
    • Oracle Java Cloud – SaaS Extension
    • Oracle NoSQL Database Cloud
    • Oracle Management Cloud
    • Oracle Mobile Cloud
    • Oracle Mobile Hub
    • Oracle Process Cloud
    • Oracle SOA Cloud
    • Oracle Visual Builder
    • Oracle WebCenter Portal Cloud

    Oracle SaaS—SOC 2 Type 2

    • Oracle CPQ Cloud Service (BigMachines)
    • Cobrowse Cloud Service (LiveLook)
    • Oracle B2B Marketing Automation (Oracle Eloqua Marketing Cloud Service)
    • Oracle Enterprise Performance Management (EPM)
    • Oracle Field Service Cloud Service (TOA)
    • Oracle Enterprise Resource Planning
    • Oracle Human Capital Management
    • Oracle Supply Chain Management
    • Oracle Customer Experience Cloud
    • Maxymiser Cloud Service
    • B2C Campaign Management (Responsys Marketing Cloud Service)
    • Oracle B2C Service (Service Cloud, OPA, RightNow CX)
    • Oracle Talent Acquisition Cloud (Taleo)
    • Oracle Talent Cloud for Midsize (TBE)
    • Taleo Learn Cloud Service
    • Transportation Management Cloud Service (OTM)
    • Warehouse Management Cloud (LogFire)

  • SOC 3—System and Organization Controls 3

    SOC 3 is a report, like the SOC 2, on a service organization's controls relevant to security, availability, processing integrity, confidentiality, or privacy. However, a SOC 3 can be distributed for general use and only states whether or not the entity has achieved the Trust Service criteria, without any description of tests, results or opinions.

    Oracle Cloud Services have been assessed using the criteria set forth in paragraph 1.26 of the American Institute of Certified Public Accountants (AICPA) Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC 2®) for the suitability of the design and operating effectiveness for the security, availability, and confidentiality principles. The SOC 3 general use report, which states whether or not the Trust Service criteria were achieved, is available for the following services.

    Oracle Cloud Infrastructure

    • API Gateway
    • Announcements
    • Application Migration
    • Archive Storage
    • Audit
    • Block Volume
    • Cloud Shell
    • Compute
    • Container Engine for Kubernetes
    • Data Flow
    • Data Science
    • Data Transfer
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • Digital Assistant
    • Distributed Denial of Service (DDoS) Protection
    • Email Delivery
    • Events
    • FastConnect
    • File Storage
    • Functions
    • Health Checks
    • Identity and Access Management (IAM)
    • Load Balancing
    • Marketplace – Consumer
    • Monitoring
    • MySQL as a Service
    • Notifications
    • Object Storage
    • Oracle Cloud VMware Provisioning Service (OCVP)
    • Registry
    • Resource Manager
    • Streaming
    • Vault
    • Virtual Cloud Network (VCN)
    • Web Application Firewall (WAF)

    Read the report (PDF)

  • Three Ministries

    Three government ministries in Japan have developed guidelines to promote cloud security and the safeguarding of data for medical institutions in Japan. These ministries include:

    • Ministry of Health, Labor and Welfare (MHLW): Guidelines for the Security Management of the Medical Information Systems
    • Ministry of Internal Affairs and Communications (MIC): Security Management Guidelines for Cloud Service Providers Dealing with Medical Information
    • Ministry of Economy, Trade and Industry (METI): Security Management Guidelines for Information Processing Providers Dealing with Medical Information

    Oracle has been evaluated by a third-party assessor against the security requirements of Three Ministries. The report from Oracle Cloud Infrastructure’s independent assessor is designed to assist the customer in its own compliance efforts with respect to requirements outlined in the guidelines.

    Oracle Cloud Infrastructure

    • Archive Storage
    • Audit
    • Block Volume
    • Compute
    • Container Engine for Kubernetes
    • Container Registry
    • Domain Name System (DNS)
    • Database – Bare Metal
    • Database – Exadata
    • Database – Virtual Machine
    • FastConnect
    • File Storage
    • Identity and Access Management
    • Load Balancing
    • Object Storage
    • Tagging
    • Virtual Cloud Network (VCN)

    Oracle Cloud Infrastructure Classic

    • Database
    • Database backup
    • Java Cloud Service (JCS)
    • Oracle Compute Classic Service
    • Oracle Container Classic Service
    • Oracle Storage Cloud Service
    • SOA Suite

    Oracle PaaS

    • Oracle Autonomous Data Warehouse Cloud Service
    • Oracle Autonomous Transaction Processing Cloud Service

  • TISAX

    The Trusted Information Security Assessment Exchange (TISAX) is a German standard security assessment used by the automotive industry. TISAX is based on the Verband der Automobilindustrie (VDA) Information Security Assessment (ISA), which is an information security requirements catalogue based on key aspects of the international standard ISO/IEC 27001. It is used both by companies for internal purposes and by suppliers and service providers that process sensitive information from their respective companies. Oracle has been evaluated by a third-party assessor against TISAX security requirements for Oracle Cloud Infrastructure.

  • UK NHS DSPT

    The Data Security and Protection Toolkit is a self-assessment tool that measures performance against the 10 data security standards of the United Kingdom's National Health Service. Any organization that has access to NHS patient data and systems must use this toolkit to provide assurance that it practices good data security and that personal information is handled correctly. Oracle has submitted its responses and has been rated as "Standards Exceeded".

    The scope of the Oracle assessment includes the following Oracle SaaS services for UK Government Cloud only:

    • Oracle Enterprise Performance Management (EPM)
    • Oracle Enterprise Resource Planning
    • Oracle Human Capital Management
    • Oracle Supply Chain Management
    • Oracle Customer Experience Cloud
    • Oracle B2C Service (Service Cloud, OPA, RightNow CX)
    • Oracle Talent Acquisition Cloud (Taleo)

    Oracle Cloud Infrastructure

    • Archive Storage
    • Audit
    • Bare Metal
    • Block Volume
    • Compute
    • Container Engine for Kubernetes
    • Data Transfer
    • DDoS Protection
    • Exadata
    • FastConnect
    • File Storage
    • Health Checks
    • Identity and Access Management
    • Vault
    • Load Balancing
    • Monitoring
    • Notifications
    • Object Storage
    • Resource Manager
    • Registry
    • Streaming
    • Database – Virtual Machine
    • VCN

  • United Kingdom Cloud Security Principles

    The UK National Cyber Security Centre (NCSC) was created to improve the security of the UK internet and critical services and to protect them from cyberattacks. The NCSC's 14 HMG Cloud Security Principles outline the requirements that cloud services should meet, including considerations for data in-transit protection, supply chain security, identity and authentication, and secure use of the service.

    Oracle provides Assertion Statements which outline how UK Government Cloud offerings align with the UK National Cyber Security Centre (NCSC) Cloud Security Principles.

    Oracle Cloud Infrastructure

    National Cyber Security Centre (NCSC) guidance summarizes 14 essential security principles (the NCSC Cloud Security Principles) to consider when evaluating cloud services and provides context on why these may be important to an organization. Customers should decide which of the NCSC Cloud Security Principles are important and how much (if any) assurance they require in the implementation of these principles. Providers of cloud services should consider the NCSC Cloud Security Principles when presenting their offerings to consumers, so that consumers can make informed choices about which services are appropriate for their needs. This technical paper is intended to provide the reader and customers with an understanding of:

    • How Oracle Cloud Infrastructure’s administrative, physical and technical safeguards relevant to security, confidentiality and availability align with NCSC Cloud Security Principles.
    • How the responsibilities for security and implementation of the NCSC guidance are shared between Oracle Cloud Infrastructure (provider of cloud services) and the customer (consumer of cloud services).
    • How the customer can approach information security risk management and implementation of the NCSC Cloud Security Principles guidance using Oracle Cloud Infrastructure services.

    Oracle Cloud Infrastructure

    • Archive Storage
    • Audit
    • Block Volumes
    • Cloud Access Security Broker (CASB) Cloud Service
    • Compute
    • Container Engine for Kubernetes
    • Data Transfer
    • Database–Bare Metal
    • Database–2-node Real Application Clusters (RAC)
    • Database–Autonomous Data Warehouse
    • Database–Autonomous Transaction Processing
    • Database–Exadata
    • Distributed Denial of Service (DDoS) Protection
    • Domain Name System (DNS)
    • Email Delivery
    • FastConnect
    • File Storage Service (FSS)
    • Identity and Access Management (IAM)
    • Load Balancing
    • Object Storage
    • Registry
    • Storage Gateway
    • Vault
    • Virtual Cloud Network (VCN)

    Oracle SaaS

    Oracle has achieved HMG Cloud Security Principles Assertion for the following services for the UK Government Cloud only:

    • Oracle Enterprise Performance Management (EPM)
    • Oracle Enterprise Resource Planning
    • Oracle Human Capital Management
    • Oracle Supply Chain Management
    • Oracle Customer Experience Cloud
    • Oracle B2C Service (Service Cloud, OPA, RightNow CX)
    • Oracle Talent Acquisition Cloud (Taleo)

    Read the technical paper: National Cyber Security Centre (NCSC) Cloud Security Principles (PDF)